Someone wrote in [personal profile] mjg59 2013-09-18 08:53 pm (UTC)

Re: only users running Xmir *and* using VTs *and* chat apps are impacted

No problemo, you are welcome. As of today the bug is still open, but yesterday Robert Ancell posted an in-progress-fix to some repo (don't think it's the main one yet). If testing of this latest bugfix goes well, maybe the official mir will have the bug fully resolved in a few days? Official release is not expected until ubuntu 13.10, but October is right around the corner.

Note that this bug, discovered in June, has never been one of the 'target' aka milestone bugs for ubuntu 13.07 thru 13.09 -- see https://launchpad.net/ubuntu/+milestone/ubuntu-13.10. Furthermore, although security is mentioned from time to time in the target-lists, it does not seem to be the priority; for instance AppArmor here... https://blueprints.launchpad.net/ubuntu/+spec/security-s-appisolation-display-manager ... which is now deferred (until after the 13.10 release, presumably).

Note that, although in terms of the *overall* concerns related to the 13.10 release, security seems to take a back seat (at least from my limited glance at the buglist and milestones), the mir sub-project itself seems to be taking it somewhat seriously. As of today, the first bug on the mir buglist is 'xmir rcvs input from vt' -- https://bugs.launchpad.net/mir -- and it was targeted for the mir v0.10 release here -- https://launchpad.net/mir/+milestone/0.0.10

The security warning status of the Ubuntu documentation is still hit and miss. Here is a good page, which tells you right at the top about the potential security risk, as well as driver support and other necessities: https://wiki.ubuntu.com/Mir/Installing. By contrast, if you instead were on this page, http://unity.ubuntu.com/mir/, you get no warning at all: "If you just want to try out mir, or write client applications, then the easiest way is to use the pre-built packages." Maybe you get a warning after you actually download and install said pre-built packages? Sloppy, though, either way.

I understand that Canonical is trying to get Mir alpha-tested by as many end users as possible before it is released as the default for 13.10 (which itself is pretty much a beta-test of mir for the LTS 14.04 release that will happen early next year). But I'd be happier if they did not cut documentation corners with security-related bugs. It is not acceptable that the desire to ship early and often is sometimes trumping the desire to keep end users from revealing their passwords to the internet. Security precautions should apply to alpha-testing folks, not just LTS users next year.
